More Control Flow Attacks & Defenses

Topics and Goals

  • Format String Attacks
    • Identify and exploit format-string vulnerabilities
  • Defenses and Limitations
    • Explain how commonly deployed defenses work
    • Identify and exploit their limitations

Format String Attacks

  • How do variadic functions work?

  • Which format specifiers can be abused in an attack?

  • How can we use a format-string vulnerability to:

    • View a specific memory address?
      • Why is this useful?
    • Write to a specific memory address?
      • Why is this useful?
    • Write a specific value to a specific memory address?

Control-Flow Defenses

  • Stack Canaries/Cookies
    • How do they work?
    • What makes a good canary/cookie?
    • How can they be bypassed?
  • Data Execution Prevention (DEP) / No eXecute (NX)
    • How does it work?
    • How can it be bypassed?
  • ASLR
    • What does it do and why does it break standard attacks?
    • What are four classes of ASLR bypass?
      • Why would you choose one over another?
    • Why is ASLR an incomplete defense in practice?